When using the "vastool list user <username>" command you may see the following:
jdoe@example.com:VAS:1006:1000:John Doe:/home/jdoe:/bin/false
When you disable a user's Unix account in Active Directory (AD) by unchecking the "Unix Enabled" check box, the user's login shell is set to /bin/false. This prohibits the user from logging in via interactive login utilities.
For the user to be able to log in, the account must be enabled. There are two ways of accomplishing this:
1. Using Active Directory tools:
- Open Active Directory Users and Computers
- Right-click the user account and select "Properties"
- Click on the "Unix Account" tab
- Check the "Unix Enabled" check box
or
2. On the client using the vastool binary:
- /opt/quest/bin/vastool -u <ADAdmin> setattrs <username> loginShell /bin/sh
- /opt/quest/bin/vastool flush
or wait for the blackout period to expire
To check the attribute was set, you can run the following command:
/opt/quest/bin/vastool -u <ADAdmin> attrs <username> loginShell
Troubleshooting a user who cannot log in:
1 - Can you list the user? vastool list user <username>
If you cannot list the account, it may be missing the User Principal Name (UPN) or a Unix attribute.
The UPN must be filled out: in Active Directory Users and Computers, open the properties of the user's account, go to the Account tab and make sure the User logon name is filled in.
2 - Is the account in an access control group? If yes, list the group (vastool list group <groupname>). Does it show the user as a member of the group?
3 - vastool nss getpwnam <username>
Does the second field show VAS? If not, there is probably a conflict with a local account. Check with grep <username> /etc/passwd and grep <uid> /etc/passwd
4 - vastool user checkaccess <username> Does it report allowed?
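The passwd-format checks above (account not listed, second field not VAS, login shell /bin/false) can be scripted. This is an added example, not One Identity code: classify_entry is a hypothetical helper name and the sample lines are constructed from the output format shown at the top of this article.

```shell
#!/bin/sh
# Added example: classify one passwd-format line as printed by
# "vastool list user <username>" or "vastool nss getpwnam <username>".
# classify_entry is a hypothetical helper, not part of vastool.

classify_entry() {
    ce_line=$1

    # Step 1: no output means the account could not be listed
    # (missing UPN or Unix attribute).
    if [ -z "$ce_line" ]; then
        echo "not-listed"
        return 0
    fi

    # Split the seven colon-separated fields; missing ones stay empty.
    IFS=: read -r ce_name ce_source ce_uid ce_gid ce_gecos ce_home ce_shell <<EOF
$ce_line
EOF

    # Step 3: the second field must be VAS, otherwise a local
    # /etc/passwd entry is probably shadowing the AD account.
    if [ "$ce_source" != "VAS" ]; then
        echo "local-conflict"
        return 0
    fi

    # "Unix Enabled" unchecked in AD: login shell is /bin/false.
    if [ "$ce_shell" = "/bin/false" ]; then
        echo "unix-disabled"
        return 0
    fi

    echo "ok"
}

# Constructed sample lines. On a real client, pass the output of
# vastool list user <username> as the argument instead.
for sample in \
    'jdoe@example.com:VAS:1006:1000:John Doe:/home/jdoe:/bin/false' \
    'jdoe@example.com:VAS:1006:1000:John Doe:/home/jdoe:/bin/sh' \
    'jdoe:x:1006:1000:John Doe:/home/jdoe:/bin/sh'
do
    printf '%s -> %s\n' "$sample" "$(classify_entry "$sample")"
done
```

A result of "ok" only covers these three checks; group membership and vastool user checkaccess still need to be verified separately.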